Yes and no. There's a lot of C5 trunks that're still out there. They're by no means the only way in and out of the country, though.

For example, the island nation of Palau has trunks via Intelsat that use C5 (and g.726 apparently). But they also have another route in and out of the country.

Then there's the Genesys meeting center. See, the company (now part of Intercall, actually. I have no idea how you'd sign up specifically for this platform) runs a conference service in the Asia Pacific region of the world, and strangely enough, there's two access numbers that'll terminate there over C5; 866-284-3437 and 3438. You might have to call them a few times to get a good route; it's sort of the luck of the draw.

I think that one is a pretty clear case of tromboning. See, a RESPORG lookup shows the number goes over Verizon's ex-MCI/0222 network. The actual access numbers in Singapore, among other countries like Malaysia and Japan, are all available in random places on the internet. I've called all of them - or at least I think all of them from the exact same network, and not had any luck getting that route. A large conferencing company like this one would likely have the resources in place for this sort of operation too. For whatever it's worth, someone once mentioned to me they found a PIN for the conference (which by itself is pretty harmless; they're given out publicly, and can't be used to start a conference without the moderator PIN), and contacted an operator in the US from the service. At no point did it touch a C5 route.

Then there's Argentina. Once again, MCI comes into the picture. Well, sorta. Like with the weird Malaysian thing, this route seems to only come into play in certain scenarios. If you try calling it, for example, over AT&T, you'll hear this; 877-655-0054. One C5 chirp. But over MCI? 877-278-9344. Two C5 chirps! No idea how that's routing exactly, but the really cool bit too is if you get the distant platform to hang up on you, you'll hear the sound of a reorder coming from the international gateway switch on AT&T's route. We think that's an EWSD; one revision of EWSD hardware will have call progress tones that fade sorta in and out like that reorder. There's another that for whatever reason, has completely different sounding call progress tones.

If you're wondering why exactly it is these exist in 2016, the answer is actually pretty simple: capacity.

In the T1 standard American/Japanese/Canadian networks use, there's a capability to do what's called bit robbing. Basically, in a mu-Law or a-Law PCM stream, there's 8 bits per sample. If you have no other way of telling the network whether your phone is on or off hook, you can rob the eighth bit of every sample to do that.

In the E1 standard (used everywhere else), you can't do this. Most of the time it doesn't matter, because you can dedicate one of the spare call channels to do something like SS7 (there's also some way to send inband tones over a dedicated signaling channel. I'm not sure exactly how that works for supervision). But in this case, they never did that - probably because they felt it was too important to sacrifice an entire call channel when they didn't need to. So since you can't rob any bits in the PCM stream, they have to use tones like on the analog carrier systems to let the network know whether your phone is on-hook or not.

Anyway, assuming you're still awake after all that, you can try seizing these if you want. You're kinda on your own, though - the stakes for international telecommunications fraud are pretty damn high, and as such, the people who still use C5 or anything like it tend to be pretty good at making sure their equipment is the only thing that can seize it. My guess is once the seize tone is sent from the transmitting end, they won't let the trunk be seized again until the present call has hung up. This happens when the network sends a burst of 2600 back in your direction (it'll ignore it if it's sent from your direction), which at least in this case, will instantly throw you off the trunk. If you really want to get anywhere with this, you'll have to find some way to keep it from doing that when whatever is on the other end hangs up.

EDIT: It also might be possible to seize the call before it goes offhook (makes the 2400 hertz cheep), but you'll have to be fast. That may not even be an option on something that answers instantly like this.


You're kinda on your own, though - the stakes for international telecommunications fraud are pretty damn high, and as such, the people who still use C5 or anything like it tend to be pretty good at making sure their equipment is the only thing that can seize it.

"Yes! I got Siggy going on THEIR line! (*3-3-3* *ka-chunk*) What a way to reset a trunk."


I figured we should start a list of countries that still use CCITT5 for international calls. It would be cool to get a list of country codes and prefixes.

For testing this stuff I recommend using Blue Beep on DosBox, which is available from Text Files via the Wikipedia article. Use the one with the source code, as it's more up to date.

Check out this text file Blue Boxing in the Late 90s for more information on how this stuff works.
The CIA World Factbook has information on the phone systems in use in every country in the world. World Factbook


I was pretty active back in 2009/2010 with exploration and scanning; this is to the best of my recollection.

In the UK there were some widely shared numbers that in the 90s were C5 directs as well as being free to call (0800 numbers); by 2009-2010 time only two remained: Bahamas on 0800 890 135 (it had some kind of filter on and you weren't able to seize at any point during the call) and Paraguay on 0800 890 595. Outside of the capital city, sometimes numbers in Paraguay would travel over C5 routes too.

In addition to this pre-earthquake calls to certain parts of Haiti would travel over C5 lines when you called numbers outside of Port-au-Prince, post earthquake in 2011 they for obvious reasons no longer worked. As far as numbers I'd have to dig through my old notes which are put away goodness knows where. Cuba was a place that I was planning on scanning before I became too busy with life and dropped out, I believe they have (had?) a mixture of the latest Chinese stuff in Havana and some of the older Soviet era crossbar stuff.


0800 890 595 is now a (quite rare) example of the equipment engaged tone.

I haven't done much looking for interesting switching/signalling since the early 2000s. It's got more difficult now because most people and businesses in poor countries have jumped straight to GSM (+successors).

Back then, it would (as radio_phreak notes) be much more productive to look in the provincial towns and cities of poor countries than in their main cities.

My preferred method was to look online for hotels or businesses in those backwater areas, ideally finding their fax numbers, and call those. Much prefer bothering a fax machine than disturbing a person.

Nowadays you need to do this armed with the country's dialling plan (Wikipedia usually has these) - and most of the numbers you find will be mobiles.

Re Cuba, I can't reach the supposed second dialtone for the US base via +53 99.

The state telco is marketing the "fija alternativa" service - ie a GSM-based fixed service - suggesting aged and interesting POTS equipment exists.

Calling from here, it's evident that their international gateway is something not outrageously ancient, because it promptly returns an appropriate SS7 code for incorrect prefixes -

eg +53 41 000000 returns the usual SIT+"the number you have dialled has not been recognised" from my local exchange.

+53 xx 300000 returns a Cuban intercept - in Spanish then English - after about 5 seconds of delay, where XX is any of the 2-digit area codes listed at https://en.wikipedia.org/wiki/Telephone_numbers_in_Cuba. Sadly no signalling sounds are evident during the delays - I think I've tried all of them.

I had a quick look for hotels in Panama and all the phone numbers I found were +507 6xxx xxxxx - ie mobiles.

However, again, I'm hopeful that downstream of the international gateway is something elderly and interesting.


There's another number to that; 3438. If you're hitting a route that gives you g.729 (sorta ruins that catchy song), it's not a bad idea to try both a few times. Interestingly, the transcoding seems to come on after the C5 chirps; those (and sometimes some Australian sounding ring) are always clear as day.

So now when I found this - I actually think I found it with radio_phreak, but when I did, I was about as excited as you can expect. But something wasn't quite right. If you do a RESPORG lookup on 3438/7, it comes back as using the MCI/0222 network. If you call the number directly terminating to the Malaysian destination (you'll find it with a bit of searching) over MCI though, it's end to end SS7. After trying a bunch of carriers with no success, the theory we wound up with is that they were re-originating via a third party country; likely Australia, to shave a few cents off termination charges.

Interestingly, when you hop on a conference on that access number, it'll allow you the option to contact customer service for the company, which is based out of Denver. The route you get is _definitely_ not C5.

For whatever it's worth, there was another number until semi-recently; 3439 that routed a little differently. Usually it was more likely to get a transcoded route, or other weird things - one route had 450 hertz ringback before the call went offhook quite a lot. But anyway, for whatever it's worth, during Hurricane Sandy it gave you an error recording from a Santera OCX. If I remember right, the other numbers worked fine though.

One thing I've noticed is during that song they play for hold music, sometimes it likes to disconnect you in weird ways. The hold music in question passes some notes a few times that definitely sound like 2400 hertz, so I wonder if that has anything to do with it (maybe we should pay attention to the supervision status), or if it's just an apathetic operator hanging up on you. Incidentally, when the call tears down with 2600, you'll hear this curious reorder tone from the international gateway that sorta fades in and out. Based on this, I wonder if it's a type 1 EWSD: https://pastebin.com/q1dvEcVw .

So this isn't exactly C5, but a while ago, I found some Axtel DMS logs on Scribd. No, seriously. You can see from there they have quite a few R2 trunks provisioned for end users: 142785363-switch-a.pdf . We were playing with this on the bridge a few months ago - something I sorta want to get into again at some point; a few people seemed pretty excited about it. There's one particular number, +52-818-114-1500 (on the AX2P42 trunk group; labeled STA_CATARINA_CALL_CENTER_PBX_R2. If you look at page 224, you'll see the trunk group type configuration for this and many others; there's a bunch of R2 trunks with generic labels) that will send a backwards 4 in MFC (780 + 1140 hertz) to the switch - indicating a network error when it messes up. Which it occasionally does. Dunno how or if these can be seized, but it seemed worth mentioning.

Speaking of which, I don't have the number for this; I had the bright idea of putting it on the speed dial for a calling card and then letting it expire, but Russia has some sort of strange signaling - perhaps another R2 variant floating about in their network. This particular call I remember being to Siberia: weirdmfs.flac . A lot of their switches use whatever this is. It enables them to send vacant number conditions and such over their signaling network. All I do here besides try and hit some DTMF is whistle 2600 twice; once to seize the trunk, and another time to make the switch get all angry. The tones you hear are the standard R1 frequency set, but obviously an R1 trunk never barks MFs back at you.

EDIT: Crap, I forgot about the Cuba stuff. From what I understand, Havana if no other place has a reasonably modern network of Alcatel gear. As for the fixed GSM terminals, there's some older documents on Cuban telecom infrastructure lying around. All of them seem to point towards the Cuban fixed network being very over capacity. That could have something to do with that particular addition.

As for Paraguay, radio_phreak mentioned to me a while back a particular set of numbers that would route to C5 trunks over some carriers. I believe it was +595-528-222-xxx.

Back to the C5 stuff though, does anybody know where we can find a protocol spec document for it? That'll probably help us with some of the oddities we've found on some of these trunk groups.

One (hopefully) last thing - for anybody looking for international credit, I've found http://www.call2.com to be pretty good for the most part. Most of their routes look to be resold MCI, the rates are reasonable, and it tends to be decent quality. It is a callback service though, so it can be a little clunky for a large number of calls like in a scan. DMS-10 loops can be a good way to make this a little less painful. I feel kinda gross giving out a plug like that, but given the relative obscurity of the service and the content of the thread, it seems appropriate.

Edited August 5, 2017 by ThoughtPhreaker

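The in-band supervision tones discussed in this thread (2400 and 2600 Hz sharing the voice path) and the observation above about hold music with 2400 Hz-like notes both come down to how a tone receiver separates signalling from programme audio. The Python below is an added example, not code from any poster or any switch: a Goertzel detector with a guard check that requires most of a frame's energy to sit in the tone before counting it. The frame size, thresholds, function names and the test audio are all assumptions constructed for illustration.

```python
import math

RATE = 8000                  # samples/s, telephone-band PCM
FRAME = 160                  # 20 ms frame; 2400 and 2600 Hz land on exact DFT bins
FRAME_MS = FRAME * 1000 // RATE
SIGNAL_TONES = (2400, 2600)  # in-band signalling frequencies named in the thread


def goertzel_power(frame, freq):
    """Squared DFT magnitude of `frame` at `freq`, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return max(0.0, s1 * s1 + s2 * s2 - coeff * s1 * s2)  # clamp rounding noise


def detect_tones(samples, guard=0.8, min_level=0.1, min_frames=3):
    """Return [(freq_hz, start_ms, duration_ms)] for sustained signalling tones.

    guard is the fraction of frame energy that must be in the tone itself;
    it is what keeps music or speech containing the frequency from counting.
    """
    events, run = [], {}           # run maps freq -> first frame of the open run
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):  # the extra pass closes runs open at the end
        frame = samples[i * FRAME:(i + 1) * FRAME] if i < n_frames else []
        energy = sum(x * x for x in frame)
        for freq in SIGNAL_TONES:
            hit = False
            if energy > 0.0:
                power = goertzel_power(frame, freq)
                level = 2.0 * math.sqrt(power) / FRAME   # estimated tone amplitude
                purity = 2.0 * power / (FRAME * energy)  # 1.0 for a pure tone
                hit = level >= min_level and purity >= guard
            if hit:
                run.setdefault(freq, i)
            elif freq in run:
                start = run.pop(freq)
                if i - start >= min_frames:              # ignore short blips
                    events.append((freq, start * FRAME_MS, (i - start) * FRAME_MS))
    return sorted(events, key=lambda e: e[1])


def tone(freq, ms, amp):
    """Constructed sine burst of `ms` milliseconds."""
    n = RATE * ms // 1000
    return [amp * math.sin(2.0 * math.pi * freq * k / RATE) for k in range(n)]


def constructed_call():
    """Constructed test audio (not a recording):
    0-200 ms silence, 200-500 ms pure 2600 Hz, 500-700 ms silence,
    700-1100 ms 'music' (2400 + 440 + 660 Hz), 1100-1300 ms pure 2400 Hz."""
    silence = [0.0] * (RATE * 200 // 1000)
    parts = (tone(2400, 400, 0.3), tone(440, 400, 0.3), tone(660, 400, 0.3))
    music = [sum(v) for v in zip(*parts)]
    return silence + tone(2600, 300, 0.5) + silence + music + tone(2400, 200, 0.5)


if __name__ == "__main__":
    audio = constructed_call()
    print("with guard:   ", detect_tones(audio))
    print("without guard:", detect_tones(audio, guard=0.0))
```

With the guard disabled, the 2400 Hz component inside the music is merged into one 600 ms "tone"; with it enabled, only the two pure bursts are reported.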

Strange telephone systems (from a westerner's viewpoint anyways) are pretty normal for Russia. The Soviet-era 300 MHz analog cellular system in eastern Russia and Siberia is still sometimes known to get relayed across the Pacific by the aging FLTSATCOM (maybe also UFO?) birds (essentially just simple carrier-squelch FM repeaters in space that happily relay any audio they hear as long as it falls within the transponders' passbands) along with the Brazilians on 240-270 MHz...

UFO 6 Tp. 20 (255.550 MHz) (Best coast) is very popular with Brazilian pirates. Shared frequency with FLTSATCOM 8 (East coast) so there's more or less nationwide coverage. Put it in your scanner before you head off for a long road trip and monitor away. It also wouldn't hurt to know how to speak Portuguese.


Woah! Are there any recordings of this? Or better yet, any way to access this network over the phone? I can't exactly see Russia from my house, but I'm on the very western tip of the US. Just say the word and I'll throw up a phone patch, SDR, and whatever antenna works well for VHF.

Edited August 5, 2017 by ThoughtPhreaker


Woah! Are there any recordings of this? Or better yet, any way to access this network over the phone? I can't exactly see Russia from my house, but I'm on the very western tip of the US. Just say the word and I'll throw up a phone patch, SDR, and whatever antenna works well for a phone patch.

It needs a little bit of setting up antenna wise but other than that the first port of call is uhf-satcom.com then look in the UHF section, he may have some recordings. Years back (actually now that I come to think of it, back in 2009-2010 time) there was some analog C-band phone patches that were still up and relaying traffic from Morocco and Algeria. Essentially for that though you needed a big ol' dish (like 3m iirc) and a C-band LNB after which you tuned in to the IF of the signal and voila! In the clear conversations 70% in Arabic, 29% French and 1% in English if I remember correctly.


There are also long-range cordless (home) telephones that operate between 250 and 390 MHz. This thread speaks of them: https://forums.radioreference.com/satcom-space-satellite-monitoring-forum/309366-251-275-conus-phone-conversation.html

Brands are "Senao" and "Alcon". No doubt those also get picked up by the satellites and relayed.


Here it is, I knew I had that text file around somewhere. It's not actually cellular at all nor is it AMPS so I guess my memory's becoming corrupted in my old age. It sounds like it should be an odd hybrid of AMPS and IDEN though it no doubt preceded the latter by at least a generation and probably also preceded the former by some length of time. I mean, they *did* get a spacecraft into orbit years before our filthy Western capitalist bureaucracy ever did, after all. I personally have yet to hear any such communications on sat frequencies but I admit I haven't really paid much attention to that frequency range. (I think just the sheer novelty of hearing the Brazilian pirates ("voices from far-away places" my mother recently described it) on the lower frequencies eclipsed it. Maybe someday I'll get lucky.)

While the PAC constellation may lack Brazilian pirates, it has its own source of unintended signals not found on CONUS or LANT satellites: Russian mobile telephones. Some areas of Russia (and the former Soviet Union generally) are still served by a non-cellular trunked analog mobile telephone system, called Altai, that operates in the 300-344 MHz range. Certain TACSET uplink frequencies are shared with those of Altai base station outputs, whose signals often make their way up to (and are retransmitted by) PAC region transponders whose uplinks are on those frequencies. The Altai system dates from the Soviet era and long predates the UHF TACSAT system, so this unintended traffic has presumably been an issue from the very beginning of TACSAT deployment.

I called this one twice this afternoon. First time I got the music that almost talks the call down, few 2600 tweeps and it hung up, second time it rang (Argentinian ring!), couple 2600 tweeps, guy answered and spoke Spanish for a moment, hung up with 2600 and went to gateway reorder.

I think I kind of like this one ;)

6843 and 9433 went to Pat Fleet CBCAD.

you'll hear this curious reorder tone from the international gateway that sorta fades in and out.

I kind of got nostalgic for Stromberg XY days hearing that! I wouldn't be surprised by that if it's an EWSD.


I'd give it a week or so; they still have the weird tromboning arrangement to hit the C5 trunks set up. If it was going to be gone for good, they would've gotten rid of that.

Looks like you were right; the number is going to a Singtel not in service announcement now. I guess now is our golden opportunity to try and figure out what it's routing over. The carrier tromboning their way over to what's probably Singapore (actually, does Singtel have any end offices in Malaysia? The C5 circuits were always on specifically Malaysian conference numbers. For whatever it's worth, I tried routing to them explicitly over the Singtel direct service and it never gave me any C5 cheeps) will cycle through several routes before eventually giving up.

I guess after Intercall and Genesys merged, the old Genesys stuff was considered redundant. It was always really hard to find conference numbers on this thing. I always chalked it up to non-Americans not feeling the impulse to share everything; US conferences are disproportionately easier to find than, say, Canadian or Mexican ones. But shut down plans probably make more sense.

Edited September 17, 2017 by ThoughtPhreaker


Some recordings came to me from a source that I trust of phone calls from Russia and around the Baltic area in general, taken 2 or so months ago and in a few of the recordings you'll sometimes hear tones before people answer the phone. I'll put a compilation together soon-ish and upload here for people to hear. The audio can be tinny in places, nothing I can do about that unfortunately.


Some recordings came to me from a source that I trust of phone calls from Russia and around the Baltic area in general, taken 2 or so months ago and in a few of the recordings you'll sometimes hear tones before people answer the phone. I'll put a compilation together soon-ish and upload here for people to hear. The audio can be tinny in places, nothing I can do about that unfortunately.

We know that in Russia and the former Soviet states -- there's much more to be had than CCITT5 still. Me and one or two of the other BinRev people have located about a dozen or so (still finding new ones) switches in that area that still use in-band 2600 signaling -- even more surprisingly, these switches use 2600 SF/Dial Pulse signaling rather than MF!

2 of said switches we've managed to find out a way to reliably bluebox/SF-box -- and there's one that is still a work in progress, and it is yet to be determined whether it's SFable or not.


We know that in Russia and the former Soviet states -- there's much more to be had than CCITT5 still. Me and one or two of the other BinRev people have located about a dozen or so (still finding new ones) switches in that area that still use in-band 2600 signaling -- even more surprisingly, these switches use 2600 SF/Dial Pulse signaling rather than MF!

2 of said switches we've managed to find out a way to reliably bluebox/SF-box -- and there's one that is still a work in progress, and it is yet to be determined whether it's SFable or not.

That is awesome work. I did send ThoughtPhreaker a quick clip of one of the recordings via email; I'm sure he'll get around to replying eventually. A bunch of new recordings landed on my lap overnight so I've made a start on them too, way too much for one person to do quickly so I'll get a clip together of the ones I've got now and the rest will come along as and when I can get to them.


Sorry I've been so hard to get ahold of! It's been a busy month (though in about a week, that'll change). I've still been scanning and confing and stuff - and occasionally helping Technotite with the Eastern European switches, but I've been farming a lot of the former out to my computers. If nothing else, I've found a way to make scanning way more efficient without having to deal with automatic signal processing.

EDIT: This isn't C5, but I found it interesting and still relevant to the thread. 18677709599.wav

Sorry about the automatic gain control. If you're curious what it was outpulsing, it's KP+867-920-3660+(KP2)<pause>KP+0-770-9599-ST. Try pressing 0 when the queue system bumps you to voicemail; you'll wind up at the main auto-attendant, and given the run of the PBX. Also, that PBX appears to have a hundred block dedicated to it.

Edited February 28, 2018 by ThoughtPhreaker


"You sound very strange without carrier all over your head." -Al Bernay

I just got really crappy-sounding (heavily bit-starved) instrumental music after a lengthy silence of about 15 seconds followed by some bit-robbing. From the sound quality it sounds like they're using CELP or very low-bitrate GSM encoding and sending it over scratchy Bell System T-carrier. I must have hit a bad route. Betcha I hit that one crappy Portland-Seattle trunk group that does that.

I am guessing my long distance carrier (Commielink/Level -3) mutes MF signalling hence the long silence. It's where the signals would be in your recording.

But did you hear how the T-carrier noise in your recording kind of "sings" along with the MFs? That's how Kaiser's prescription computer sounded a couple years ago. There's probably some analog gear with companding in that part of the connection somewhere.